KBS URI #129
KBS URI #129
Conversation
There was a problem hiding this comment.
@Xynnn007 Thanks a lot!. This is an important PR and plays a great role in our follow-up work. Here are some small questions and comments...
BTW, the changes in this PR will make the current sample_keyprovider unusable. Is there a plan to modify the sample_keyprovider?
Xynnn007
force-pushed
the
feat-uri
branch
2 times, most recently
from
d215eca
to
0050dcd
Compare
|
@jialez0 Thanks a lot for deep diving... I will update the keyprovider and related documents in the next PR. For sample-key provider, there might be two ways:
I prefer way 2, some related work has already been done in image-rs confidential-containers/guest-components#85 . And we can get rid of those encrypted images using sample-kbc then (if any). Finally we can mark sample kbc deprecated in code and give a compiling warning or directly deleted the related code |
|
Hi @stevenhorsman @liudalibj this pr will influence the behavior of |
| string KbcName = 1; | ||
| string KbsUri = 2; | ||
| string ResourceDescription = 3; | ||
| string ResourceUri = 1; |
There was a problem hiding this comment.
I changed the Proto here, as kbsUri is part of the resourceUri. KbcName now still matters and I think we can open an issuer later to talk about https://github.com/confidential-containers/attestation-agent/issues/99 on both image-rs side and kata-agent side.
Xynnn007
force-pushed
the
feat-uri
branch
2 times, most recently
from
e01a7bf
to
6febca2
Compare
| @@ -62,6 +63,18 @@ pub mod tests { | |||
| #[allow(dead_code)] | |||
| pub const RESOURCES_NAME: &str = "aa-offline_fs_kbc-resources.json"; | |||
|
|
|||
| pub const KBS_URI_PREFIX: &str = "kbs://example.org/"; | |||
There was a problem hiding this comment.
So if we use the offline_fs_kbs the resource request must have kbs://example.org/ in it? That seems a bit inconvenient. Wouldn't it be better to just ignore whatever KBS address is provided?
There was a problem hiding this comment.
We do not need the kbs://example.org/ in it. We will ignore the KBS address if offline_fs_kbc is used. Here the const is defined to work with resource_path! macro which is to convert a whole uri into a path without KBS address.
| @@ -49,7 +49,9 @@ impl KbcInterface for OnlineSevKbc { | |||
| } | |||
|
|
|||
| async fn decrypt_payload(&mut self, annotation_packet: AnnotationPacket) -> Result<Vec<u8>> { | |||
| let key = self.get_key_from_kbs(annotation_packet.kid).await?; | |||
| let key = self | |||
| .get_key_from_kbs(annotation_packet.kid.resource_path()) | |||
There was a problem hiding this comment.
So we aren't using the resource uri for image decryption keys?
There was a problem hiding this comment.
Yes, we are. In online-sev-kbc, it also defines its own kbs address like cc-kbc and the get_key_from_kbs only makes a gRPC request containing the key id to kbs. So here we only need to extract the <repository>/<type>/<tag> (what resource_path() does) and ignore the uri of kbs. (like get_resource_from_kbs does)
Also, get_resource_from_kbs is a little different from get_key_from_kbs. The later will flush the memory after using the key using Zeroizing
There is some different of both api which confuses, let me fix this.
Xynnn007
force-pushed
the
feat-uri
branch
2 times, most recently
from
97806ac
to
76d6acd
Compare
Yes, we need to remove the hardcodes in image-rs and give a configuration of image-rs for the resources needed. This work should be delayed after 0.4.0 is released. Let's perfect the system for 0.5.0 : ) |
|
There are some conflicts in the code for ttrpc things.. let me finish some tiny fixes and then rebase the code. |
Xynnn007
force-pushed
the
feat-uri
branch
2 times, most recently
from
1bc6918
to
c2a99f0
Compare
@Xynnn007 Sounds great! Since the changes in this PR will affect the code availability of cc @fitzthum |
|
@Xynnn007 In view of the fact that the KBS address part of the KBS URI is not actually consumed at present, we actually use the KBS address specified in the This can avoid confusion for users now. |
Yea, I have no preference for either option
Does it look good? |
@Xynnn007 That's OK. In fact, whether we use Meanwhile, in |
key_id in the AnnotationPacket will follow the KBS URI format. Different KBCs will index the corresponding keu due to the uri. Signed-off-by: Xynnn007 <[email protected]>
now get_resource API receives a kbs uri to indicate the confidential resource to be requested Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Now if the request resource `type` in kbs uri is `"client-id"`, the responsed resource will be the client id. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
please refer to https://github.com/confidential-containers/attestation-agent/issues/130 for more information Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
To avoid confusing, a uri pointing to a resource is named kbs resource uri. A kbs uri stands for the uri of the kbs. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
As confidential-containers/guest-components#191, this PR includes the following
Please notice that all the
<kbs-addr>field in a kbs uri now will be ignored, all kbc will use its own memberkbs_urlinstead.Also, this PR modifies the gRPC API of
get_resource, as duplicated information is carried in the kbs uri